Effective Date of the Regulation on Banks' Electronic Banking Services and Information Systems Postponed
The Regulation on Banks' Information Systems and Electronic Banking Services (the "Regulation") was issued by the Banking Regulation and Supervision Agency ("BDDK"), and its effective date had been set as 1 July 2020.

With the Regulation published in the Official Gazette No. 31161 dated 20 June 2020, a new effective date was introduced by amendment, and it was decided that the provisions of the Regulation other than the articles listed below will enter into force on 1 January 2021:

Article 13: on the creation and monitoring of audit trail records,

Article 29: on the management of the outsourcing process,

Article 34, paragraph 13: on transaction security and authentication (concerning electronic distribution channels),

Article 34, paragraph 15: on transaction security and authentication (concerning sensitive information used by banking applications running on mobile devices),

Article 37, paragraph 8: on informing customers (concerning sensitive information the bank transmits to its customers in digital media),

Article 40: on transaction security, authentication and service quality in mobile banking,

Article 42: on authentication and transaction security in ATM use.

The articles listed above fall outside the new regulation and will enter into force on 1 July 2020.

The Communiqué on the Principles to Be Taken as Basis in Information Systems Management at Banks will be repealed on 1 January 2021, when the Regulation enters into force.

It should be borne in mind that Article 29 of the Regulation, which sets out the elements that must be included in outsourcing agreements signed within its scope, will enter into force on 1 July 2020, and that banks are therefore obliged to complete the necessary compliance steps by that date.

The amendments introduce different effective dates for the articles of the Regulation and thus provide for a phased transition. Banks have thereby gained time to adapt to the new obligations, but must still comply with the Regulation by taking the required steps by 1 July 2020. For detailed information and advisory services, you can contact us via the details below.
Announcement: Deferral of the Regulation on IT Systems and Electronic Banking Services

The effective date of the Regulation on Banks' Information Systems and Electronic Banking Services was originally set as 1 July 2020.

With a new regulation published in the Official Gazette No. 31161 on June 20, 2020, the earlier regulation was amended. It has been decided that the effective date of its provisions is postponed to January 1, 2021, excluding the provisions below:

• Article 13 on the creation and follow-up of audit trail (log) records,

• Article 29 on the management of the outsourcing process,

• Paragraph 13 of Article 34 (transaction security and authentication) on electronic distribution channels,

• Paragraph 15 of Article 34 (transaction security and authentication) on sensitive information used by banking applications on mobile devices,

• Paragraph 8 of Article 37 (informing customers) on the electronic transmission of sensitive data by the bank to its customers,

• Article 40 on transaction security, authentication and service quality in mobile banking,

• Article 42 on authentication and transaction security in ATM use.

The aforementioned articles will enter into force on July 1, 2020.

Under Article 4 of the Regulation, bank boards of directors are obliged to address information systems management as part of corporate governance practices: by allocating the financing and human resources needed for the proper management of these systems, by ensuring effective control over information systems so as to protect the security, confidentiality, integrity and accessibility of information assets, and by conducting effective oversight of the risks arising from the use of information systems.

With regard to data security, Article 9 of the Regulation, titled "Data Privacy", requires:

• When media or devices containing data are no longer used, destruction of the data they contain in a manner appropriate to its degree of confidentiality,

• Choosing sufficiently long encryption keys, setting their validity period according to the criticality of the relevant data or activity, and ensuring their security,

• Using end-to-end secure communication when transmitting sensitive data, and storing such data in encrypted form,

• Encrypting the contents of all desktop, laptop and mobile devices allocated to bank staff that contain sensitive data,

• Periodic scanning of networked server machines to determine whether sensitive data such as debit or credit card numbers or T.C. identity numbers are stored in clear text, together with the applications and precautions this requires.

Article 10 of the Regulation, titled "Identity and access management", requires that an authentication mechanism be applied to users of the information systems and that banks take the necessary precautions for the confidentiality and security of authentication information. In this context, the following are regulated:

• Authentication information is stored encrypted in databases and is encrypted while being transmitted for authentication purposes,

• Authentication information is protected against unauthorized access or uncontrolled changes that violate the principle of separation of duties,

• When the relevant user next enters the system, the user is informed of unsuccessful authentication attempts, and if the unsuccessful attempts exceed a certain number, the user's access is blocked,

• The person making the attempt is not given unnecessary information, such as whether the username entered does not exist in the system or whether the password was entered incorrectly,

• Access rights are reviewed regularly, and on human resources changes such as recruitment, dismissal and change of duties, the relevant user accounts are deleted or suspended and the privileges assigned to the user are revoked or altered.
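The following is an added illustration of the Article 10 controls described above (it is not code from the Regulation or from the firm): credentials are stored as salted hashes rather than in clear text, a single generic failure message is returned whether the username or the password is wrong, the account is blocked after a threshold of failed attempts, and the count of failed attempts is reported to the user at the next successful login. The threshold value of 5 and the PBKDF2 parameters are assumptions; the Regulation only speaks of "a certain number".

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 5            # assumed; the Regulation leaves the number open
GENERIC_FAILURE = "Authentication failed."  # identical for unknown user / wrong password / locked


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; credentials are never stored in clear text."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failed_since_last_login: int = 0
    locked: bool = False


class AuthService:
    def __init__(self) -> None:
        self._accounts: dict[str, Account] = {}
        # Decoy record used for unknown usernames so the failure path does the same work
        # and returns the same message whether or not the username exists.
        salt = os.urandom(16)
        self._decoy = Account(salt, hash_password(os.urandom(16).hex(), salt))

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._accounts[username] = Account(salt, hash_password(password, salt))

    def is_locked(self, username: str) -> bool:
        acct = self._accounts.get(username)
        return acct is not None and acct.locked

    def login(self, username: str, password: str) -> tuple[bool, str]:
        acct = self._accounts.get(username)
        target = acct if acct is not None else self._decoy
        ok = hmac.compare_digest(hash_password(password, target.salt), target.pw_hash)
        if acct is None or acct.locked or not ok:
            if acct is not None and not acct.locked:
                acct.failed_since_last_login += 1           # record the failed attempt
                if acct.failed_since_last_login >= LOCKOUT_THRESHOLD:
                    acct.locked = True                       # block access past the threshold
            return False, GENERIC_FAILURE                    # no hint about which part was wrong
        failed = acct.failed_since_last_login
        acct.failed_since_last_login = 0
        # Article 10: inform the user of unsuccessful attempts at the next successful entry
        return True, f"Login successful. Failed attempts since your last login: {failed}"
```

Unblocking a locked account is left to an out-of-band administrative process, which is where the access-rights review and HR-driven account changes in the last bullet would apply.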

The Communiqué on the Principles to Be Taken as Basis in Banks' Information Systems Management will be abolished when the Regulation fully enters into force on January 1, 2021.

It is worth mentioning that Article 29 of the Regulation, which regulates the provisions that outsourcing agreements concluded under the Regulation must contain, will enter into force on July 1, 2020. Accordingly, banks will be obliged to complete the necessary harmonization steps by that date.

These amendments provide for a progressive transition by setting different effective dates for the provisions of the Regulation. While banks will still have time to align themselves with certain provisions, they will also need to take the fundamental actions required to comply with the provisions stated above no later than July 1, 2020.

Within the scope of this Regulation, the minimum procedures and principles to be taken as the basis for managing the risks related to electronic banking services and the information systems used by banks are laid down. These procedures and principles impose a number of obligations on the management of information systems. In addition, the practices that must be adopted and the precautions that must be taken to secure both the credentials held in the systems and other sensitive data are set out in detail.
LONDRA
5 Chancery Lane WC2A 1LG
T: +4402074067504

ISTANBUL
Barbaros Mah, Varyap Meridian C Blok
D: 172 Ardıç Sok. 34746, Atasehir
T: +902165101260
info@guden.av.tr